Google Engineering Lead on Lessons Learned From Chrome's HTTPS Push

BLACK HAT USA 2018 – Las Vegas – Parisa Tabriz, director of engineering at Google, today shared the story of how the company made the switch to enforce HTTPS in Chrome, as well as lessons she learned in collaboration, management, and perseverance over the course of the multiyear project.

As Black Hat founder Jeff Moss put it in his introduction, there are "maybe 20 companies in the world who are in a position to actually do something about raising the level of security and resiliency for all of us."

Google is one of them. "Anything Google does that is an improvement essentially impacts us all," Moss added. Recently, for example, the company reached the end of a years-long initiative to label HTTP websites as "not secure" in an effort to push Web developers to embrace HTTPS encryption. The change went into effect last month with the release of Chrome 68; now HTTP sites display an alert to visitors.

The change wasn’t an easy one, as conference attendees learned today during Tabriz's keynote. She began her talk by detailing what she believes are the key steps to success in information security, and then weaved these points into the story of how HTTPS enforcement went from bold idea to reality.

Tabriz's first – and foremost – point: "Identify and tackle the root cause of the problems we uncover and not just be satisfied with isolated fixes."

She pointed to Project Zero, a team of Google security analysts tasked with finding zero-day bugs. The group was created in 2014 to hunt vulnerabilities in operating systems, browsers, antivirus software, and other tech. Its goal is to better understand offensive security as a means of understanding exploitation against defenders and ultimately lead to structural improvement and better security, Tabriz explained.

Her second point: "We have to be more intentional in how we improve long-arc defensive projects."

Staying motivated to see an effort through over a long period of time, as certain projects can take years depending on their scale, is crucial. As part of this, Tabriz emphasized the importance of identifying milestones, working toward those milestones, and celebrating progress along the way.

Her third point: build a coalition of champions and supporters outside security so the team's efforts are successful. "There's an understanding we're generally working on similar goals," she said, adding that the cost of building exploits against high-profile targets has increased due to the efforts of people working together to address root causes of bad security.

Enforcing HTTPS: Idea to ImplementationTabriz's ideas are evident in the story of Google's move to enforce HTTPS on the Chrome browser.

"We wanted to make the risk of unencrypted traffic more comprehensible and also more consistent," she explained. The team had a clear vision of what that state should look like but knew it would take many years to achieve it. After all, the Web isn't an entity owned by any one person or institution, she noted, and they had to navigate an "ecosystem of constraints and incentives" – including industry organizations and browsers with different standards, proprietary ideas, and technology – in the process.

"To make a change like this it had to be gradual, and it had to be very intentional," Tabriz said. The process began back in 2014 with brainstorming how to change the browser's user interface, and continued in 2015 with a public UI proposal. Going public with the idea led to support and sentiment from the broader infosec community, which helped convince Chrome leadership this was worth pursuing.

Over the course of the project, Tabriz emphasizes the importance of celebrating milestones to keep up morale. The team created stickers of icons from their UI designs, for example, when those were finalized.

Tabriz also pointed to the myriad ways in which their work could have failed to demonstrate lessons learned. Management could have killed the project, for example, when the timeline turned out to be years longer than anticipated. Because the team was able to regularly articulate progress and demonstrate positive impact in terms of overall code health, they were never told to discontinue the project. When the benefits aren't immediately clear, it's important to get people invested in the project's success.

The HTTPS push also could have failed without broader support from Google's leadership and external parties. The team worked with several Web standards groups to communicate the change, she explained, and the ability to kill progress could have come from outside the company.

"We rely on everyone working in technology to clear the path for a safer future," Tabriz said.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

You both make some valid points; but I think the choice of vendors is less free than assumed. There are certainly restrictions in the corporate and academic environments (some choices are not allowed, others forced - as they are necessary to certain, required, applications). Even for individuals, many will use the browser best suited to their OS, or will choose to stay with their OS's browser so as not to provide even more data to yet another IT mega-corporation. Are you going to go through the process of reconfiguring and learning new habits, every time your current browser vendor changes its policies or practices (assuming you'll even be aware of it)? Maybe "bullying" isn't the right word, but "heavy-handed" - definitely.

There are just too many self-serving motivations for any individuals or corporate, political or activist entities, to be trusted with being the guardians of the cyber-universe, to dictate what is or isn't moral, ethical or otherwise acceptable behavior. Yet, there is a dire need to hold individuals, groups, transient associations and other entities responsible for clear violations of the most fundamental principles of moral and ethical behavior. Perhaps the problem lies in the tendency to redefine those traditional principles to suit whatever self-serving motivations currently serve us best.

I guess we'll agree to disagree on this. My thoughts on a browser update regarding a security alert doesn't amount to bullying. Users are free to download and use any other browser besides chrome. If, on the other hand, google had a monopoly on browsers, the point could be made that it's heavy-handed.

It is not the site which is insecure, but the communucations: from your browser to that site which, by the way Google is monitoring and deciding good/bad. Reality is the internet is not secure. We see daily sites and large corporations, Experion, Target, Facebook, etc., for example, as having HTTPS and insecure with data breaches. Facebook having HTTPS is before congress to explain why they are insecure.

A notification that any data to and from a site is not secure, means that Google is monitoring users activity. That alone should make you nervous. If it finds a site without HTRTPS, it can exclude it from it's search engine. That should be sufficient. But Google doesn't define insecure as having poor data security it defines dangerous as not having HTTPS.

Google is, in it's own discretion, is marking innocnt users of the internet as insecure and also in it's own hubris decided that it is the internet's sole policeman. If it wants to define a site as insecure it should strt with sites that don't protect data.

I disagree. The reality is that "normal" users have little insight into what HTTPS means vs HTTP and how the transmissions differ regarding their personal and identifying information when using the web. An extra click or so to get to the content of an "insecure" site which also advises users that a site isn't secure is good for everyone. It forces sight owners to comply with basic security measures to protect user information in transit - especially in light of today's environment. It also educates users on the inherent threats in HTTP. To claim censorship is stretching a bit. #IMHO

There is no doubt that securing data in transmission is a good thing. However. Google's dominant position does not give them the right to block or interrupt a user from reaching any site.

Though you may give your browser instructions to bypass their "WARNING" it still amounts to disruption of business, and a form of censorship.

In simple terms, no matter how good the intention, Google is bullying. It is internet bullying; it is a form of censorship and no matter who or why it is wrong to deny or impede legitimate and legal entities from conducting discource.

Encryption and access controls are considered to be the ultimate safeguards to ensure the security and confidentiality of data, which is why they're mandated in so many compliance and regulatory standards. While the cybersecurity market boasts a wide variety of encryption technologies, many data breaches reveal that sensitive and personal data has often been left unencrypted and, therefore, vulnerable.

An open redirect was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9 and 4.2.x before 4.2.1. By using backslashes in the `_failure_path` input field of login forms, an attacker can work around the redirection target restricti...

A flaw was found in the Linux kernel in the NFS41+ subsystem. NFS41+ shares mounted in different network namespaces at the same time can make bc_svc_process() use wrong back-channel id and cause a use-after-free. Thus a malicious container user can cause a host kernel memory corruption and a system ...

An issue was discovered on D-Link DVA-5592 A1_WI_20180823 devices. If the PIN of the page &quot;/ui/cbpc/login&quot; is the default Parental Control PIN (0000), it is possible to bypass the login form by editing the path of the cookie &quot;sid&quot; generated by the page. The attacker will have acc...